1. Field of the Invention
The present invention relates to a communication system, a router, a method of communication, a method of routing and a computer program product that prevent a response packet alteration through impersonation in a network environment where IPv6 anycast address is employed.
2. Description of the Related Art
In recent years, a mainstream IP address format for the Internet is shifting from IPv4 which is an addressing architecture with 32-bit length to IPv6 (Internet Protocol, Version 6) which is an addressing architecture with 128-bit length. One feature of the IPv6 addressing architecture is an introduction of an “anycast address.” The anycast address is, as defined in IETF RFC2460 Internet Protocol, Version 6 (IPv6) Specification, an address allocated to plural interfaces on plural nodes dissimilar to the unicast address, though the anycast address is utilized similarly to the unicast address in terms of routing.
Hence, when a packet is sent from a certain node to an anycast address, the packet is delivered to the nearest node on the route that holds this anycast address. Even if the nearest node with the anycast address encounters some problem on receiving the packet, once the routing information is gathered, the packet can automatically be sent to the second-best node to which the same anycast address has been allocated. This feature of the anycast address can be utilized to provide a high-redundancy service. For example, if a known anycast address is allocated to plural servers that provide a predetermined service, such a service can be supplied with high redundancy without any particular setting or modification of an end-host.
In the field of Internet communication, security is a pressing issue in order to prevent attacks from an illegitimate node impersonating a legitimate node. For example, in service provision using the unicast address, a communication apparatus which is a client in the network can compare the destination address of an inquiry packet with the sender's address of the packet responding thereto to find out whether the two addresses match. On finding out that the two do not match, the client can determine that the received packet was sent from a fake node, thereby preventing a malicious attack from a fake node impersonating a legitimate node.
On the other hand, a malicious fake node may set a proper sender's address in the IP header, disguising its true identity. To deal with such an attack, one can reduce exposure to the attack to a certain degree by filtering, for example, by validating the sender's address at a router provided on the site border, in addition to validating the sender's address at the client's side.
According to the IPv6 specification, however, the anycast address cannot be set in the sender's address field of the IP header. When the server receives a packet destined for an anycast address from a client communication apparatus, the server needs to set the server's own unicast address in the sender's address field of the IP header of the response packet in order to send the response packet to the client communication apparatus.
Thus, in general, the utilization of the anycast address implies increased likelihood of attacks through impersonation by malicious nodes.
Assume that an anycast address is allocated to the server, and the client communication apparatus sends an inquiry packet destined for the anycast address to the server. Here, the client communication apparatus cannot know the server's unicast address in advance, and is unable to validate whether the unicast address set in the sender's address field of the IP header of the response packet is the correct address of the legitimate server. The client communication apparatus then has no option but to accept response packets with any sender's address.
Thus, when the communication apparatus sends an inquiry packet to the server using the anycast address, a fake node impersonating the legitimate server can send back a fake response packet without using the legitimate sender's address for the response packet. Therefore communication using the anycast address is more vulnerable to attacks by impersonation of malicious nodes than communication using the unicast address. In addition, in communication using the anycast address, the legitimacy of the sender node is difficult to validate.
Further, even when filtering is performed to validate the legitimacy of the sender's address, it is difficult to prevent an attack from a malicious node inside the site, since the site boundary also demarcates the filtering area.
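The following Python model, added here as an illustration and not part of the patent text, exercises the two checks the background describes: the client-side comparison of the inquiry's destination with the response's source (which works for a unicast service but becomes unverifiable for an anycast service, because the responder must use its own unicast address as source), and the site-border source-address filter (which only sees packets crossing the border). All addresses, the site prefix and the packet structure are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation prefix 2001:db8::/32; not from the patent).
SITE_PREFIX = ipaddress.ip_network("2001:db8:1::/48")       # assumed site prefix
ANYCAST_SERVICE = ipaddress.ip_address("2001:db8:1::53")    # assumed anycast service address
SERVER_A = ipaddress.ip_address("2001:db8:1:a::1")          # assumed legitimate server (unicast)
SERVER_B = ipaddress.ip_address("2001:db8:1:b::1")          # assumed second legitimate server
INSIDE_NODE = ipaddress.ip_address("2001:db8:1:c::1")       # assumed node inside the site
CLIENT = ipaddress.ip_address("2001:db8:1:d::10")           # assumed client inside the site


@dataclass(frozen=True)
class Packet:
    """Minimal IPv6 packet model: only the header fields the checks need."""
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    payload: str


def border_filter_accepts(pkt, site_prefix, arriving_from_outside):
    """Site-border ingress check: a packet entering from outside the site must
    not carry a source address from the site's own prefix.  Packets that never
    cross the border are not seen by this check at all."""
    if arriving_from_outside and pkt.src in site_prefix:
        return False
    return True


def client_check(query, response, anycast_addresses):
    """Client-side response validation as described in the background.

    Returns (verdict, reason).  For a unicast destination the response source
    must equal the query destination.  For an anycast destination the responder
    sets its own unicast address (an anycast address may not be a source), and
    the client has no prior knowledge of that address, so no match is possible."""
    if response.dst != query.src:
        return ("reject", "response not addressed to this client")
    if query.dst in anycast_addresses:
        return ("unverifiable", "anycast destination: source cannot be matched")
    if response.src == query.dst:
        return ("accept", "source matches the unicast destination")
    return ("reject", "source does not match the unicast destination")


def run_scenarios():
    """Run the constructed scenarios and return the verdict of each."""
    anycast = {ANYCAST_SERVICE}
    results = {}

    # Unicast service: the comparison check distinguishes genuine from forged.
    q_uni = Packet(CLIENT, SERVER_A, "query")
    results["unicast_genuine"] = client_check(q_uni, Packet(SERVER_A, CLIENT, "reply"), anycast)[0]
    results["unicast_forged"] = client_check(q_uni, Packet(INSIDE_NODE, CLIENT, "reply"), anycast)[0]

    # Anycast service: a genuine reply from SERVER_B and a reply from an
    # unrelated node look identical to the comparison check.
    q_any = Packet(CLIENT, ANYCAST_SERVICE, "query")
    results["anycast_genuine"] = client_check(q_any, Packet(SERVER_B, CLIENT, "reply"), anycast)[0]
    results["anycast_forged"] = client_check(q_any, Packet(INSIDE_NODE, CLIENT, "reply"), anycast)[0]

    # Border filter: a site-prefix source arriving from outside is dropped,
    # but the same packet originating inside the site never reaches the filter.
    reply_with_site_source = Packet(SERVER_B, CLIENT, "reply")
    results["border_from_outside"] = border_filter_accepts(reply_with_site_source, SITE_PREFIX, True)
    results["border_from_inside"] = border_filter_accepts(reply_with_site_source, SITE_PREFIX, False)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The "unverifiable" verdict for both anycast cases is the gap the background describes: the check that rejects the forged unicast reply yields no information once the destination is an anycast address, and the border filter, while it drops a spoofed site-prefix source arriving from outside, never sees the packet that originates inside the site.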